Our personal information is more valuable than ever. The most recent government cyber threat report warns that foreign state actors have an "enduring interest" in obtaining sensitive and personally identifiable information about Australians.
Author
- Moataz ElQadi
Adjunct Researcher, Faculty of Information Technology, Monash University
In recent weeks, Prime Minister Anthony Albanese noted "there is a cyber attack in Australia roughly every six minutes. This is a regular issue."
In some situations, it can be difficult to protect our info even when we're aware of the risks. Notably, in Australia many rental providers and their agents collect, store and disclose excessive personal information on potential tenants. Sometimes, they collect more info than what's needed to get a government security clearance.
With about one-third of Australian households being renters, the handling of renters' data is a major concern for Australia's information security.
So what information are real estate agents collecting, and how can we mitigate the risks?
Steep competition for rentals
For several years now, Australia has faced a rental crisis . Low vacancy rates - below 1% in some capital cities - not only drive up rental prices , but can result in "bidding wars" over rentals .
With renters competing for housing, rental providers are empowered to command larger rent increases . They also require potential tenants to provide extensive personal information.
For tenants, sharing - or oversharing - of personal information in the hope of securing a home might seem acceptable.
However, the collection and handling of this information raises serious security concerns. If Australians' sensitive personal data falls into the hands of cyber criminals, or foreign agents, this has security implications for the entire nation.
What info are renters asked for?
Potential tenants need to provide information to the satisfaction of the real estate agent and their client, the rental provider. This information is increasingly collected online via rental application websites where the form questions are controlled by real estate agents .
The websites themselves are subject to the Australian Privacy Act 1988 , but the data is handed over to real estate agents and owners.
The rental application websites seem to recognise that this information is extensive: one rental application website started selling a privacy service where they vouch for the applicant instead of sharing their information with the real estate agents.
In some cases, the requested data matches or even exceeds the requirements for a government security clearance . The Australian Government Security Vetting Agency (AGSVA) has a clear public privacy statement . It explains how data is collected and handled and used only for the assessment of a security clearance. Rental providers don't necessarily follow the same stringent rules.
Information collected by some rental application forms may include five or more years of address history. Others request five or more years of employment history. In addition, financial information such as payslips and bank statements are also required.
Other sensitive - and irrelevant - information includes vehicle registration numbers and pet names.
Potential tenants are also usually asked to attach personal identification documents including passports, driver licences and Medicare cards. They may be asked to list up to two personal and one business references.
If any of this information falls into the wrong hands, it easily exposes the person to social engineering , personalised scams or identity and account theft.
Who can access the info?
The names of family members and pet names are a common - albeit unsafe - choice of password. The rental application forms collect both. In Australia, research by Telstra and YouGov found that 20% of Australians used pets' names as passwords, and 17% used their birth dates.
If a rental provider, or their agent, shares applicant information with others, it can be a security breach. This makes the storage, handling and sharing of this information by private rental providers a major concern.
Rental agency agreements commonly state that personal information can be disclosed to "any person who maintains any record, listing or database of defaults by tenants." This policy, which a tenant has to accept, is already loose.
More importantly, after the information is sent to the owner of the rental property, there is no visibility as to who that is, or what they do with the information.
Too much info to rent a home
Having to share extensive personal information is more than an inconvenience for renters - it's a serious security concern. The government should put explicit limits on personal information requested by rental providers.
One technological solution to this problem could be "access tokens" provided by banks. People in Australia are protected by the Consumer Data Right . This allows consumers to authorise a data holder, such as a bank, to share data with an accredited recipient.
Australian banks are held to strict information security requirements . They already handle highly sensitive data, such as client identity, income sources and other financial information.
If real estate agents require proof of this info to vet potential rental applicants, they could request it through an authorisation token with the applicant's bank. This way, proof of identity and financial status could be shared without having to disclose actual sensitive personal information, limiting the cyber security risk.
In the meantime, rental providers and their agents should request the least possible amount of personal information - it's the responsible thing to do.
The article gives the example of the Consumer Data Right, a government standard managed by the Australian Competition and Consumer Commission (ACCC). Moataz ElQadi worked previously for the ACCC, in a different team.
